Eakinomics: Enforcing Data Privacy

Before there was a pandemic, there was a presumption that passing federal data privacy legislation would be a top congressional priority, if only to preempt state laws and provide a single, nationwide standard. With the arrival of the pandemic, modern information technologies – streaming services, online conferencing, app-based services, telehealth, and more – have been central to the response to COVID-19. Using smartphones (and other data-powered tools) to fight the virus, however, means that a data privacy framework that would continue to allow such innovation remains of high importance.

In structuring privacy legislation, an important debate remains who is given the job of enforcing the privacy provisions. As it turns out, there are lots of options – five, according to AAF’s Jennifer Huddleston. In her words:

1) a continuation or expansion of enforcement by the Federal Trade Commission (FTC),
2) the creation of a new agency tasked with data protection,
3) enforcement by state attorneys general (typically in combination with federal enforcement),
4) a limited private right of action, and
5) a broad private right of action with monetary relief.

In choosing, policymakers should pick a mechanism that is consistent with the light-touch regulatory approach that has permitted innovation to flourish and limited uncertainties. This enforcement mechanism should ensure a continuation of the current commitment to protect consumers from measurable harm but not limit the direction of technological development.

A new agency is a doubtful proposition. The needed expertise likely already exists at the FTC and elsewhere, and new agencies set up in a crisis have a dubious track record. Similarly, relying entirely on a private right of action lays the entire effort bare to state-by-state differences in handling litigation. Also, relying on a litigation explosion to solve any problems seems undesirable when examining its existing use in privacy laws such as Illinois’s Biometric Information Privacy Act and its potential for discouraging new technologies.

In the end, Huddleston points to a hybrid approach as a potential compromise between the need for a federal framework and the desire of states to be involved in data privacy enforcement: “Building on the current FTC-centric regulatory approach, and perhaps supplementing it with assistance from state attorneys general (under specific guidelines), would likely prove effective.”

At present, Congress is overwhelmed by the coronavirus and the efforts to combat the crisis. It will not always remain that way. When the day arrives to provide federal data privacy protection law, picking the right enforcement strategy will be a key step.